Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
Legally, is veri allowed to redirect requests to their own domain? If not, who has the rights to unused domain names?
Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.
You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?
This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.
Why? Isn't this why we have computers: To alleviate boilerplate?
When you run a spellchecker, do you only ask it to flag misspellings without offering suggestions?
Though you've been modded flamebait, I'm assuming you were simply posting from the perspective of a strictly web user, who could presumably be helped (emphasis on presumably) by being redirected to SiteFinder and pointed to the proper site.
I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.
Just a thought.
I don't run a spellchecker. Any Cocoa application can check my spelling as I type and underline misspelled words. So, uh, yes, I do just let it flag what I typed wrong. Since I know how to spell, it catches any typing mistakes and lets me correct them.
On the other hand, using software that thinks it knows what I want better than I do annoys me. Like if I'm sending a user a printout with the username and password I've assigned to them and the stupid work PC I'm using has Word set up to capitalize things automatically, I can accidentally send someone the wrong username when I typed it correctly, and get to deal with them when it doesn't work.
Don't blame me; I'm never given mod points.
It's a question of the duties of a provider of infrastructure.
.com and .net), Verisign is, as I said, a monopoly.
There's a certain relationship between a consumer of infrastructure and a provider of it. The consumer must trust the infrastructure to do what it is supposed to do, and nothing more.
This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.
Infrastructure providers inherently have a lot of control over the services they provide. There is a duty there to provide the service as expected, without changing the content that is carried.
Verisign's position as a chartered monopoly makes this duty even more important, because consumers have no choice to use an alternative.
I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in
Other CCTLDs have used wildcards before, but no one much cares about some island that is abusing the CC system to make extra money.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
This started about 1995 when people began to conflate the Web with the Internet.
Slashdot: Where nerds gather to pool their ignorance
I do. I run the DNS servers at an ISP, and I am planning to apply the ISC patch that restricts delegation from root servers (as soon as the bugs are shaken out of it -- give it a week or two.) I, and all the other sysadmins out there, decide whether SiteFinder works or not.
Yup - and the best part is to see Vixie being incredibly careful to always point out that TLDs that have always used wildcards should be exempt from the ban. He's got his pet zone, .museum, to take care of - and it definitely uses a wildcard. A bit of hypocrisy is refreshing now and then.
PV's not just the chairman of the ISC, he's the author of BIND. Obviously he knows that NXDOMAIN is not the same as a 404 response from a webserver. He's paraphrasing Verisign's justification: "VeriSign maintains that..."
That's one I won't be reading...
"Flyin' in just a sweet place,
Never been known to fail..."
But, do you really like that it's Verisign doing this for you? Assuming you use IE, MSN already provided this service to you. Verisign has just exploited the DNS system to make their service come up in situations where MSN's used to come up. Other browser developers could have designed their own responses to the "NXDOMAIN" signal, but now Verisign has stopped returning "NXDOMAIN" and instead returns a redirect to their own site... That's what really rubs people the wrong way. Instead of returning the error code that people thought they could depend on, they're returning a redirect to a service you didn't ask for. Yeah, it's a pretty good service on its merits if they tried to sell it to you... but instead they're forcing it on some people who were happy with MSN's service or happy with the traditional error...
I believe this to be one of the motivating factors at play here.
Verisign can essentially force spammers to take wild shots in the dark. Now, instead of being able to scan for dead email addresses and domains, they have to mark all addresses on their list as current. They simply couldn't know whether an email address was taken offline because any bad address goes to the big Verisign server in the sky.
So this makes the spammers' work more expensive through higher fees from people like yourself who are actually running the bulk mail servers. More expensive == less incentive to do this crap.
On top of the very slim margins that spam brings in, this possible increase in the cost of spamming may just put an end to spam altogether (well, I can dream, can't I?).
Then use client-side software. Why should EVERYONE suffer for YOUR tastes?
Wow, I should not post when knackered.
I am surprised that Paul Vixie did not seem to exhibit much emotion regarding the Sitefinder situation - for someone who's been at the core of what we now know as the DNS for so many years (you would think it's like his own child:).
He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.
Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.
Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:
I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
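Added example, not part of any comment in this thread: one way an automated client such as a mail filter checking sender domains can restore the lost NXDOMAIN signal is to probe the TLD with random labels and treat the synthesized wildcard answer as "no such domain". The `resolve` callable, the sample zone and all addresses are constructed for illustration (RFC 5737 documentation ranges), so the block runs offline.

```python
import secrets

def wildcard_answers(tld, resolve, probes=3):
    """Return the addresses a TLD synthesizes for names that cannot exist.

    resolve(name) is a caller-supplied function (an assumption of this
    example) returning a set of address strings, empty on NXDOMAIN.
    """
    seen = []
    for _ in range(probes):
        label = secrets.token_hex(16)  # 32 random hex chars, never registered
        seen.append(set(resolve(f"{label}.{tld}")))
    # A wildcarded zone answers every probe; a normal zone answers none.
    return set().union(*seen) if all(seen) else set()

def domain_exists(domain, resolve, cache):
    """True only if the domain resolves to something other than the wildcard."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in cache:
        cache[tld] = wildcard_answers(tld, resolve)
    answers = set(resolve(domain))
    if not answers:
        return False  # genuine NXDOMAIN
    # Caveat: a real domain hosted only on the wildcard address is rejected too.
    return not answers <= cache[tld]

def sender_domain_valid(address, resolve, cache):
    """Mail-filter style check on the domain part of a sender address."""
    return domain_exists(address.rsplit("@", 1)[-1], resolve, cache)

# --- constructed sample data ---
WILDCARD_IP = "192.0.2.11"
ZONE = {"example.com": {"198.51.100.7"}, "example.org": {"203.0.113.5"}}

def fake_resolve(name):
    name = name.lower()
    if name in ZONE:
        return ZONE[name]
    if name.endswith((".com", ".net")):
        return {WILDCARD_IP}  # wildcarded TLD: every unregistered name resolves
    return set()              # non-wildcarded TLD: NXDOMAIN

if __name__ == "__main__":
    cache = {}
    for addr in ("a@example.com", "a@no-such-domain-typo.com", "a@no-such.org"):
        print(addr, sender_domain_valid(addr, fake_resolve, cache))
```

With a real resolver, the per-TLD cache should be refreshed periodically, since the wildcard address can change or be withdrawn.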
Am I the only one who finds it ironic that Verisign's slogan is "The Value of Trust"? They sure don't seem to be aware of just that, the value of the trust we have given them.
In the past, ICANN has always made a song and dance about the crucial need for DNS stability, yet now, in the face of a unilateral move that causes great instability, they meekly ask Verisign to please stop. If ICANN are too spineless to act, then the Department of Commerce needs to step in. Despite the contractual complexities (see Karl Auerbach's blog), Verisign have committed a fundamental breach of trust, and the DoC should reallocate responsibility for .net and .com as soon as practically possible.
My next sig will be ready soon, but subscribers can beat the rush
Terms of Use only apply to services you pay for and only to the extent of guarantees and the ability of the service provider to reject support. Someone holding up a sign in the middle of the sidewalk with an indemnity clause (which is actually a step up from this service since you have to actually intentionally find the Terms of Use) wouldn't hold up in clause, so I don't see how it'd work for any website you don't pay for.
nah... just watch them, say, remove verisign's key from the default set of authorities for signed certificates.
So you have a program which checks your spelling but you don't have a spellchecker. That's an interesting viewpoint. You'd never catch me using that crappy unleaded petrol; I much prefer the petrol with the lead taken out.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Let's remember that the IE capture of 502/503 responses is an APPLICATION solution to an APPLICATION level error. There is nothing wrong with this sort of solution.
At issue here is that Verisign is corrupting the DNS protocol itself in order to perform an application level service response. This is rather like using a bulldozer to plant tulips.
With those words (an absolute abuse) you just described most of what Verisign has done.
Folks should remember, this is the company that was contracted to *maintain* the database until one day they decided that they *owned* the database... (errr... okay... if I get paid to clean all the cars at the dealership can I decide one day that I own them all and get away with it?)
And yet somehow years after that magical acquisition of property rights they've still got the contracts. They've gotten away with all kinds of stuff and like a spoiled child they'll keep taking more until (if ever) someone takes away their privileges and sends them to time out.
Gotta agree with you that there's no way that any benefits that stupid Sitefinder page provides make up for the abuse of position and random chaos it's caused.
Quoth he
"It's all academic anyway..."